05 February 2021

Getting back on Treck: more vulnerabilities in the infamous TCP/IP Stack

The story with vulnerabilities in network software by Treck Inc. continues: information was published last week about three more vulnerabilities in the vendor’s TCP/IP stack – this time, in the IPv6 implementation in version 6.0.1.67 of the stack.

As many will recall, Treck gained notoriety last year, when a set of 19 vulnerabilities, dubbed Ripple20, was discovered. A critical stack-based buffer overflow vulnerability in the Treck web server was recently reported. Its exploitation could lead to arbitrary code execution. If the web server is running with root privileges (which is often the case with IoT devices), this could result in the device being completely compromised.

The newly identified vulnerabilities have lower severity ratings. CVE-2020-27336, for which a CVSS v3.1 base score of 5.3 has been calculated, has to do with the possibility of an out-of-bounds read of up to three bytes. CVE-2020-27337, which has been assigned a severity rating of 7.3, could make it possible to cause a denial-of-service condition remotely due to an out-of-bounds write. The exploitation of CVE-2020-27338 could also cause a denial-of-service condition; however, since the flaw is in the implementation of the DHCPv6 protocol, an attack can only be carried out on the vulnerable device’s local network. In consequence, this vulnerability has a lower severity rating – 7.1 on the CVSS v3.1 scale.

Researchers refer to out-of-bounds reads or writes, rather than buffer overflow. Errors that give rise to this kind of vulnerability are typical of the computations implemented in parsers of received data packets. For example, the mechanism used to parse fragmented data could be vulnerable. There are widely known fragment parsing vulnerabilities in IPv4 implementations, but, like other protocol functions, the implementation of fragmentation in IPv6 is different from that in IPv4. This means that, when doing a security analysis of code used in an implementation, one should not only keep past experience in mind but also look out for new types of flaws. And, although the security of IPv6 fragmentation has long been a subject of research, it is most likely that we will learn of new vulnerabilities in implementations of the IPv6 protocol by this and other vendors.
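To make the point about length computations in packet parsers concrete, here is an added example (not Treck code and not a reproduction of the CVEs above) of a bounds-checked walk over an IPv6 extension header chain up to the Fragment header. The function name, struct and sample packet are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
enum { IP6_HDR = 40, NH_HOPOPTS = 0, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_DSTOPTS = 60 };
struct frag_info { uint8_t next_header; uint16_t offset; int more; uint32_t id; };

/* Constructed sample: IPv6 header, 8-byte Destination Options header, Fragment
 * header (offset 8, M=1, id 0x01020304, next header 17), 8 data bytes. */
uint8_t sample_pkt[64] = {
    0x60, 0, 0, 0, 0, 24, NH_DSTOPTS, 64,      /* payload length 24 */
    [40] = NH_FRAGMENT, 0, 1, 4, 0, 0, 0, 0,   /* PadN option as filler */
    [48] = 17, 0, 0x00, 0x09, 1, 2, 3, 4,      /* offset/M field 0x0009 */
};

/* Returns 1 if a valid Fragment header was found, 0 if there is none,
 * -1 if any length field points outside the received data. */
int find_fragment_header(const uint8_t *pkt, size_t len, struct frag_info *out)
{
    if (len < IP6_HDR || (pkt[0] >> 4) != 6)
        return -1;
    size_t payload = ((size_t)pkt[4] << 8) | pkt[5];
    if (payload > len - IP6_HDR)           /* header claims more than arrived */
        return -1;
    size_t end = IP6_HDR + payload;        /* no read at or beyond this index */
    size_t off = IP6_HDR;
    uint8_t nh = pkt[6];
    while (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS) {
        if (end - off < 2)                 /* need next-header and length bytes */
            return -1;
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;
        if (hlen > end - off)              /* compare against what remains */
            return -1;
        nh = pkt[off];
        off += hlen;
    }
    if (nh != NH_FRAGMENT)
        return 0;
    if (end - off < 8)                     /* Fragment header is a fixed 8 bytes */
        return -1;
    unsigned field = ((unsigned)pkt[off + 2] << 8) | pkt[off + 3];
    size_t data_len = end - off - 8;
    out->next_header = pkt[off];
    out->offset = (uint16_t)(field & 0xFFF8u);   /* 8-byte units -> bytes */
    out->more = (int)(field & 1u);
    out->id = ((uint32_t)pkt[off + 4] << 24) | ((uint32_t)pkt[off + 5] << 16) |
              ((uint32_t)pkt[off + 6] << 8) | pkt[off + 7];
    /* Non-final fragments carry a multiple of 8 bytes; total must fit 65535. */
    if ((out->more && data_len % 8 != 0) || out->offset + data_len > 65535)
        return -1;
    return 1;
}
```

Every length taken from the packet is compared against the bytes that remain (`end - off`) before it is used, so a header that is cut short or that overstates its size is rejected instead of being read past the buffer.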

To fix the above vulnerabilities, the stack should be updated to version 6.0.1.68 or higher. In cases where a product, such as an IoT gateway or PLC, uses vulnerable versions of Treck software as third-party components, Treck recommends that users contact the product’s vendor or reseller to address the issue. This means that ideally, all manufacturers of IoT and other devices affected by the issue should release the relevant security advisories and make security updates available. One example is a Schneider Electric security notification of the buffer overflow vulnerability in the Treck web server that was mentioned above.

Vulnerability information publication date: January 26, 2021.

Sources: NIST, Treck